Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (45 page)


Mendax listened anxiously as the NorTel modem searched for his modem by squealing high-pitched noises into the telephone line. No modem here. Go on, hang up.

Suddenly, silence.

OK, thought Mendax. Just 90 seconds to go. Just wait here for a minute and a half. Just hope the exchange times out. Just pray there’s no trace.

Then someone picked up the telephone at the NorTel end. Mendax started. He heard several voices, male and female, in the background.

Jesus. What were these NorTel people on about? Mendax was so quiet he almost stopped breathing. There was silence at the receivers on both ends of that telephone line. It was a tense waiting game. Mendax heard his heart racing.

A good hacker has nerves of steel. He could stare down the toughest, stony-faced poker player. Most importantly, he never panics. He never just hangs up in a flurry of fear.

Then someone in the NorTel office--a woman--said out loud in a confused voice, ‘There’s nothing there. There’s nothing there at all.’

She hung up.

Mendax waited. He still would not hang up until he was sure there was no trace. Ninety seconds passed before the phone timed out. The fast beeping of a timed-out telephone connection never sounded so good.

Mendax sat frozen at his desk as his mind replayed the events of the past half hour again and again. No more NorTel. Way too dangerous. He was lucky he had escaped unidentified. NorTel had discovered him before they could put a trace on the line, but the company would almost certainly put a trace on the dial-up lines now. NorTel was very tight with Telecom. If anyone could get a trace up quickly, NorTel could. Mendax had to warn Prime Suspect and Trax.

First thing in the morning, Mendax rang Trax and told him to stay away from NorTel. Then he tried Prime Suspect.

The telephone was engaged.

Perhaps Prime Suspect’s mother was on the line, chatting. Maybe Prime Suspect was talking to a friend.

Mendax tried again. And again. And again. He began to get worried.

What if Prime Suspect was on NorTel at that moment? What if a trace had been installed? What if they had called in the Feds?

Mendax phoned Trax and asked if there was any way they could manipulate the exchange in order to interrupt the call. There wasn’t.

‘Trax, you’re the master phreaker,’ Mendax pleaded. ‘Do something. Interrupt the connection. Disconnect him.’

‘Can’t be done. He’s on a step-by-step telephone exchange. There’s nothing we can do.’

Nothing? One of Australia’s best hacker-phreaker teams couldn’t break one telephone call. They could take control of whole telephone exchanges but they couldn’t interrupt one lousy phone call. Jesus.

Several hours later, Mendax was able to get through to his fellow IS hacker. It was an abrupt greeting.

‘Just tell me one thing. Tell me you haven’t been in NorTel today?’

There was a long pause before Prime Suspect answered.

‘I have been in NorTel today.’

_________________________________________________________________

Chapter 9 -- Operation Weather
_________________________________________________________________

The world is crashing down on me tonight

The walls are closing in on me tonight

-- from ‘Outbreak of Love’ on Earth and Sun and Moon by Midnight Oil

The AFP was frustrated. A group of hackers were using the Royal Melbourne Institute of Technology (RMIT) as a launchpad for hacking attacks on Australian companies, research institutes and a series of overseas sites.

Despite their best efforts, the detectives in the AFP’s Southern Region Computer Crimes Unit hadn’t been able to determine who was behind the attacks. They suspected it was a small group of Melbourne-based hackers who worked together. However, there was so much hacker activity at RMIT it was difficult to know for sure. There could have been one organised group, or several. Or perhaps there was one small group along with a collection of loners who were making enough noise to distort the picture.

Still, it should have been a straightforward operation. The AFP could trace hackers in this sort of situation with their hands tied behind their backs. Arrange for Telecom to whack a last party recall trace on all incoming lines to the RMIT modems. Wait for a hacker to logon, then isolate which modem he was using. Clip that modem line and wait for Telecom to trace that line back to its point of origin.

However, things at RMIT were not working that way. The line traces began failing, and not just occasionally. All the time.

Whenever RMIT staff found the hackers on-line, they clipped the lines and Telecom began tracking the winding path back to the originating phone number. En route, the trail went dead. It was as if the hackers knew they were being traced ... almost as if they were manipulating the telephone system to defeat the AFP investigation.

The next generation of hackers seemed to have a new-found sophistication which frustrated AFP detectives at every turn. Then, on 13 October 1990, the AFP got lucky. Perhaps the hackers had been lazy that day, or maybe they just had technical problems using their traceless phreaking techniques. Prime Suspect couldn’t use Trax’s traceless phreaking method from his home because he was on a step-by-step exchange, and sometimes Trax didn’t use the technique.

Whatever the reason, Telecom managed to successfully complete two line traces from RMIT and the AFP now had two addresses and two names.

Prime Suspect and Trax.

‘Hello, Prime Suspect.’

‘Hiya, Mendax. How’s tricks?’

‘Good. Did you see that RMIT email? The one in Geoff Huston’s mailbox?’ Mendax walked over to open a window as he spoke. It was spring, 1991, and the weather was unseasonably warm.

‘I did. Pretty amazing. RMIT looks like it will finally be getting rid of those line traces.’

‘RMIT definitely wants out,’ Mendax said emphatically.

‘Yep. Looks like the people at RMIT are sick of Mr Day crawling all over their computers with line traces.’

‘Yeah. That admin at RMIT was pretty good, standing up to AARNET and the AFP. I figure Geoff Huston must be giving him a hard time.’

‘I bet.’ Prime Suspect paused. ‘You reckon the Feds have dropped the line traces for real?’

‘Looks like it. I mean if RMIT kicks them out, there isn’t much the Feds can do without the uni’s cooperation. The letter sounded like they just wanted to get on with securing their systems. Hang on. I’ve got it here.’

Mendax pulled up a letter on his computer and scrolled through it.

From [email protected] Tue May 28 09:32:31 1991

Received: by jatz.aarnet.edu.au id AA07461 (5.65+/IDA-1.3.5 for pte900); Tue, 28 May 91 09:31:59 +1000

Received: from possum.ecg.rmit.OZ.AU by jatz.aarnet.edu.au with SMTP id AA07457 (5.65+/IDA-1.3.5 for /usr/lib/sendmail -oi -faarnet-contacts-request aarnet-contacts-recipients); Tue, 28 May 91 09:31:57 +1000

Received: by possum.ecg.rmit.OZ.AU for [email protected])

Date: Tue, 28 May 91 09:32:08 +1000

From: [email protected] (Alan Young)

Message-Id: <[email protected]>

To: [email protected]

Subject: Re: Hackers

Status: RO

While no one would disagree that ‘Hacking’ is bad and should be stopped, or at least minimised there are several observations which I have made over the last six or eight months relating to the pursuit of these people:

1. The cost involved was significant, we had a CSO working in conjunction with the Commonwealth Police for almost three months full time.

2. While not a criticism of our staff, people lost sight of the ball, the chase became the most important aspect of the whole exercise.

3. Catching Hackers (and charging them) is almost impossible, you have to virtually break into their premises and catch them logged on to an unauthorised machine.

4. If you do happen to catch and charge them, the cost of prosecution is high, and a successful outcome is by no ways assured. There may be some deterrent value in at least catching and prosecuting?

5. Continued pursuit of people involved requires doors to be left open, this unfortunately exposes other sites and has subjected us to some criticism.

The whole issue is very complex, and in some respects it is a case of diminishing returns. A fine balance has to be maintained between freedom, and the prevention of abuse, this appears to be the challenge.

Allan Young

RMIT

‘Yeah, I mean, this RMIT guy is basically saying they are not going to catch us anyway, so why are they wasting all this time and money?’

‘Yep. The Feds were in there for at least three months,’ Prime Suspect said. ‘Sounded more like nine months though.’

‘Hmm. Yeah, nothing we didn’t know already though.’

‘Pretty obvious, leaving those accounts open all the time like they did. I reckon that looked pretty suspicious, even if we hadn’t gotten the email.’

‘Definitely,’ Mendax agreed. ‘Lots of other hackers in RMIT too. I wonder if they figured it out.’

‘Hmm. They’re gonna be screwed if they haven’t been careful.’

‘I don’t think the Feds have gotten anyone though.’

‘Yeah?’ Prime Suspect asked.

‘Well, if they had, why would they leave those accounts open? Why would RMIT keep a full-time staff person on?’

‘Doesn’t make sense.’

‘No,’ Mendax said. ‘I’d be pretty sure RMIT has kicked them out.’

‘Yeah, told them, "You had your chance, boys. Couldn’t catch anyone. Now pack your bags".’

‘Right.’ Mendax paused. ‘Don’t know about NorTel though.’

‘Mmm, yeah,’ Prime Suspect said. Then, as usual, a silence began to descend on the conversation.

‘Running out of things to say ...’ Mendax said finally. They were good enough friends for him to be blunt with Prime Suspect.

‘Yeah.’

More silence.

Mendax thought how strange it was to be such good friends with someone, to work so closely with him, and yet to always run out of conversation.

‘OK, well, I better go. Things to do,’ Mendax said in a friendly voice.

‘Yeah, OK. Bye Mendax,’ Prime Suspect said cheerfully.

Mendax hung up.

Prime Suspect hung up.

And the AFP stayed on the line.

In the twelve months following the initial line trace in late 1990, the AFP continued to monitor the RMIT dial-up lines. The line traces kept failing again and again. But as new reports of hacker attacks rolled in, there seemed to be a discernible pattern in many of the attacks. Detectives began to piece together a picture of their prey.

In 1990 and 1991, RMIT dial-ups and computers were riddled with hackers, many of whom used the university’s systems as a nest--a place to store files, and launch further attacks. They frolicked in the system almost openly, often using RMIT as a place to chat on-line with each other. The institute served as the perfect launchpad. It was only a local phone call away, it had a live Internet connection, a reasonably powerful set of computers and very poor security. Hacker heaven.

The police knew this, and they asked computer staff to keep the security holes open so they could monitor hacker activity. With perhaps a dozen different hackers--maybe more--inside RMIT, the task of isolating a single cell of two or three organised hackers responsible for the more serious attacks was not going to be easy.

By the middle of 1991, however, there was a growing reluctance among some RMIT staff to continue leaving their computers wide open. On 28 August, Allan Young, the head of RMIT’s Electronic Communications Group, told the AFP that the institute wanted to close up the security holes. The AFP did not like this one bit, but when they complained Young told them, in essence, go talk to Geoff Huston at AARNET and to the RMIT director.

The AFP was being squeezed out, largely because they had taken so long conducting their investigation. RMIT couldn’t reveal the AFP investigation to anyone, so it was being embarrassed in front of dozens of other research institutions which assumed it had no idea how to secure its computers. Allan Young couldn’t go to a conference with other AARNET representatives without being hassled about ‘the hacker problem’ at RMIT. Meanwhile, his computer staff lost time playing cops-and-robbers--and ignored their real work.

However, as RMIT prepared to phase out the AFP traps, the police had a lucky break from a different quarter--NorTel. On 16 September, a line trace from a NorTel dial-up, initiated after a complaint about the hackers to the police, was successful. A fortnight later, on 1 October, the AFP began tapping Prime Suspect’s telephone. The hackers might be watching the police watch them, but the police were closing in. The taps led back to Trax, and then to someone new--Mendax.

The AFP considered putting taps on Mendax and Trax’s telephones as well. It was a decision to be weighed up carefully. Telephone taps were expensive, and often needed to be in place for at least a month. They did, however, provide a reliable record of exactly what the hacker was doing on-line.

Before police could move on setting up additional taps in Operation Weather, the plot took another dramatic turn when one of the IS hackers did something which took the AFP completely by surprise.

Trax turned himself in to the police.

On 29 October Prime Suspect was celebrating. His mum had cooked him a nice dinner in honour of finishing his year 12 classes, and then driven him to Vermont for a swot-vac party. When she arrived back home she pottered around for an hour and a half, feeding her old dog Lizzy and tidying up. At 11 p.m. she decided to call it a night.

Not much later, Lizzy barked.

‘Are you home so soon?’ Prime Suspect’s mother called out. ‘Party not much fun?’

No-one answered.

She sat up in bed. When there was still no answer, her mind raced to reports of a spate of burglaries in the neighbourhood. There had even been a few assaults.

A muffled male voice came from outside the front door. ‘Ma’am. Open the door.’

She stood up and walked to the front door.
